Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
If I want to set a root password and protect it so it CANNOT be changed, is there a way to do it?
The reason I ask is that a partner and I are starting a new venture, and we picked up another partner that he knows, but I do not.
I don't trust him, because I do not know him. My partner does trust him though, but I just want to make sure he cannot lock me out of the servers we are going to be running, on which I'll have to give him root access so that he can take care of stuff when he is the only one "in the office" (on the clock).
Could I run this command to stop the password file from being able to be "overwritten", so that the server cannot update the password, unless I undo it just to change the password:
chattr +i /path/to/passwd
Plus, do you know of another way to log all the activity root does in shell/telnet? Other than writes to the ONE location, the .bash history?
I think there is no way to do that, because he has complete control over the server by being root, and being root means you have control over everything, but I may be wrong; this is just my opinion.
He can't lock you out of the server. Well, he can of course, if he has root, but you will have a good backup and in the worst case scenario you just restore the whole server from backups.
If just the root password has changed, and the server is otherwise OK, you boot from a floppy or CD and change the root password yourself.
You could be really nasty and change the passwd file to another name. If you want to view what files have been changed, then why not try setting up Tripwire? As root he can pretty much do what he likes...
Hmm, so as root, he will of course be able to do everything. Is there a way I can give him superuser powers, except not with the username root, where he cannot change the root password, but be able to do everything else I might need him to do?
Originally posted by ukndoit:
Hmm, so as root, he will of course be able to do everything. Is there a way I can give him superuser powers, except not with the username root, where he cannot change the root password, but be able to do everything else I might need him to do?
That's possible but tricky.
You can use sudo to give him access to specific commands, but you would have to list them all. I don't think there's an easy way to say "user x can do everything except change root's password".
You might also be able to use roles/groups to achieve something similar (depending on your distro) but again, excluding just one function is difficult.
There are ways that you can even block root from doing a lot of things on a Linux box. Take a look at this version of Linux, for example: www.nsa.gov/selinux. This version of Linux has Mandatory Access Controls, which allow you to specify what you allow even root to do on the system.
Try using an app called LIDS; this is MAC for Linux.
Plus, do you know of another way to log all the activity root does in shell/telnet? Other than writes to the ONE location, the .bash history?
Please have a look at your other thread: http://www.linuxquestions.org/questi...hreadid=104533
Next time try to keep your questions in one place. It shows you know netiquette and saves us time and effort. Btw, IMHO logging *everything* root does isn't feasible unless you have a separate syslog server with Terabyte storage.
Is there a way I can give him superuser powers, except not with the username root, where he cannot change the root password, but be able to do everything else I might need him to do?
"Sudo" is your tool of choice as the rest said, and I agree with that (some risks there too though). ACLs are some way to curb risks, but they're not the whole solution. Btw, Grsecurity also works with ACLs and per-process capability restrictions.
The "better" answer would of course be to be honest about the trust problem and come up with a solution together. Unless you define trust very clearly (Iainr's roles/groups suggestion) it will remain nothing more than a gut feeling, and I wouldn't want to be dealing with admin policies based on something as opaque as that...
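The sudo suggestion made in the replies above, as an added example that is not part of any poster's reply: a simplified Python audit that classifies sudoers user specifications as an allowlist, a denylist ("ALL" with "!" exclusions, a pattern the sudoers manual warns is not a dependable restriction) or unrestricted. The user names, command paths and sample entries are constructed; aliases, line continuations and escaped commas are not handled.

```python
import re

# Constructed sample entries; user names and command paths are hypothetical.
SAMPLE_SUDOERS = """\
# denylist: everything except one command
partner ALL = (root) ALL, !/usr/bin/passwd root
# allowlist: only the tasks actually delegated
partner2 ALL = (root) /usr/bin/systemctl restart httpd, /usr/bin/journalctl -u httpd
# unrestricted: equivalent to handing over root
partner3 ALL = (ALL) NOPASSWD: ALL
"""

# user host = (runas) command-list; single-line specs only (a simplification).
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # strips tags such as NOPASSWD:

def audit_line(line):
    """Classify one user specification; return None for anything else."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults") or "_Alias" in line:
        return None
    m = SPEC.match(line)
    if not m:
        return None
    cmds = [TAG.sub("", c.strip()) for c in m.group(4).split(",")]
    grants_all = "ALL" in cmds
    negated = [c for c in cmds if c.startswith("!")]
    if grants_all and negated:
        verdict = "denylist"      # ALL plus exclusions: not a real boundary
    elif grants_all:
        verdict = "unrestricted"
    else:
        verdict = "allowlist"
    return {"user": m.group(1), "verdict": verdict, "excluded": negated}

def audit(text):
    """Audit every line of a sudoers-style text and keep the user specs."""
    return [r for r in map(audit_line, text.splitlines()) if r]

if __name__ == "__main__":
    for result in audit(SAMPLE_SUDOERS):
        print(result)
```

Only the "allowlist" verdict matches the approach described in the replies, where every delegated command is listed explicitly.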